Claims 



WHAT IS CLAIMED IS: 



1 1 . A method for authenticating a principal, comprising: 

2 receiving an access request from a first principal for access to a second 

3 principal; 

4 evaluating a contract to acquire a credential for the first principal; and 

5 transmitting the credential to the first principal for use in interacting with the 

6 second principal, wherein the credential includes authentication information, 

7 aggregated attributes and aggregated policies for use by the first principal in 

8 interacting with the second principal. 

1 2. The method of claim 1 further comprising determining if the first principal is 

2 authenticated based on the contract and if the first principal is not authenticated 

3 establishing an authentication session with the first principal to properly 

4 authenticate the first principal based on the contract. 

1 3. The method of claim 1 further comprising: 

2 receiving an additional access request from the first principal for access to a 

3 third principal; 

4 evaluating a new contract to acquire a second credential for the first 

5 principal; and 

6 transmitting the second credential to the first principal for use in interacting 

7 with the third principal. 

1 4. The method of claim 1 fiirther comprising removing the contract or revoking 

2 the credential when an expiring event is detected during a session with the first 

3 principal. 
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1 5. The method of claim 1 further comprising: 

2 receiving a new request from a third principal, wherein the new request 

3 desires attribute information associated with the first principal; 

4 acquiring a new contract for the third principal; 

5 evaluating the new contract to acquire a new credential for the third 

6 principal; and 

7 transmitting the new credential to the third principal for use in authenticating 

8 and interacting with the first principal to acquire the attribute information. 

1 6. The method of claim 1 further comprising: 

2 receiving a modification to the contract from the first principal; 

3 determining if the modification is permissible according to the contract; 

4 updating the contract if the modification is permissible; 

5 deriving a modified credential from the contract; and 

6 transmitting the modified credential to the first principal for use in 

7 interacting with the second principal. 

1 7. The method of claim 1 further comprising: 

2 receiving a new request from the first principal for establishing a trust 

3 relationship with the second principal, wherein the trust relationship is established 

4 via communications having public-private key pairs between the first principal and 

5 the second principal; 

6 determining if the trust relationship is permissible; 

7 receiving a dynamically generated public key from the first principal 

8 associated with a dynamically generated private key, the dynamically generated 

9 private key maintained by the first principal; and 

10 making the dynamically generated public key accessible to the second 

1 1 principal. 

1 8. The method of claim 7 further comprising: 

2 receiving from a third principal a static rooted public key associated with the 
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second principal; and 

transmitting the static rooted public key to the first principal for use in 
interacting with the second principal in the trust relationship. 



1 9. A method for authenticating a principal, comprising: 

2 receiving first requests from a first principal to interact with one or more 

3 different principals; 

4 acquiring first contracts for the first principal, wherein each first contract is 

5 associated with a different one of the one or more different principals; 

6 acquiring a second contract for each of the one or more different principals; 

7 selectively assembling and transmitting first credentials for the first requests 

8 for use by the first principal in interacting with the one or more different principals; 

9 and 

10 selectively assembling and transmitting second credentials for other requests 

1 1 associated with and used by the one or more different principals when interacting 

12 with the first principal or when interacting with different ones of the one or more 

1 3 different principals. 

1 10. The method of claim 9 further comprising: 

2 receiving modifications to one or more of the first contracts from the first 

3 principal or from one or more of the one or more different principals; 

4 selectively assembling and transmitting modified first credentials to the first 

5 principal based on the modifications. 

1 11. The method of claim 9 further comprising: 

2 receiving modifications to one or more of the second contracts from the first 

3 principal or from the one or more of the one or more different principals; 

4 selectively assembling and transmitting modified second credentials to the 

5 one or more different principals affected by the modifications. 
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1 12. The method of claim 9 further comprising: 

2 detecting an event that renders one or more of the first or second contracts 

3 stale; and 

4 revoking one or more of the first or second credentials which are affected by 

5 the event. 

1 13. The method of claim 9 wherein the selectively assembling of the first and 

2 second credentials further includes: 

3 acquiring appropriate authentication certificates for each of the first and 

4 second credentials; and 

5 acquiring aggregated attribute information and aggregated policies for each 

6 of the authentication certificates. 

1 14. The method of claim 13 further comprising, expressing the authentication 

2 certificates within the first and second credentials as assertions. 

1 15. The method of claim 1 3 wherein the acquiring the authentication certificates, 



2 the aggregated attribute information, and the aggregated policies further include 

3 accessing one or more identity stores having authentication information, attributes, 

4 and access policies associated with the first principal and'the one or more different 

5 principals. 



1 16. A principal authentication system, comprising: 

2 a first principal service; 

3 a second principal service; and 

4 an identity service, wherein the identity service acquires and manages a first 

5 contract on behalf of the first principal service and a second contract on behalf of 

6 the second principal service, and wherein the identity service provides a first 

7 credential to the first principal service and a second credential to the second 

8 principal service, the credentials used by the first principal service and the second 

9 principal service to interact with one another. 
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1 1 7. The principal authentication system of claim 16 wherein the first or the 

2 second credential is dynamically modified by the identity service and communicated 

3 to the affected principal service. 

1 18. The principal authentication system of claim 17 wherein the dynamic 

2 modification to the first or the second credential is driven by modifications received 

3 from the first principal service or the second principal service. 

1 19. The principal authentication system of claim 17 wherein the dynamic 

2 modification to the first or the second credential is driven by modifications received 

3 from a third principal service authorized to provide the dynamic modification. 

1 20. The principal authentication system of claim 16 wherein the identity service 

2 includes alias identity information in at least one of the first and the second 

3 credentials. 

1 21 . The principal authentication system of claim 16 wherein the first and second 

2 credentials include a first certificate for the first principal and a second certificate 

3 for the second principal, the certificates include identity information and techniques 

4 for authenticating the first and second principals. 

1 22. The principal authentication system of claim 21 wherein the first and second 

2 credentials further include aggregated attribute information and aggregated policies 

3 for the first and second principals, the aggregated attribute information identifying 

4 types of data associated with the first and second principals and the aggregated 

5 policies defining operations which are permissibly performed or not permitted 

6 during the first and the second principal interactions. 

1 23. A principal authentication system, comprising: 

2 one or more identity stores; and 



Attorney Docket No.: 1565.070US1 29 
Client Docket No.: IDR-687 



3 an identity service; 

4 wherein the identity service dynamically establishes and manages 

5 authentication and interactions for a plurality of principals with respect to sessions 

6 occurring between the principals, the identity service acquires contracts for each of 

7 the principals and dynamically assembles one or more credentials for each of the 

8 principals for use in the sessions with one another, the one or more credentials 

9 assembled from the one or more identity stores based on the contracts. 

1 24. The principal authentication system of claim 23 wherein the identity service 

2 substitutes alias identity information for identity information included within a 

3 number of the credentials. 

1 25. The principal authentication system of claim 24 wherein the identity service 

2 updates one or more of the identity stores with the alias identity information. 

1 26. The principal authentication system of claim 23 wherein the credentials 

2 include authentication certificates used for authentication the principals to one 

3 another during the sessions. 

1 27. The principal authentication system of claim 26 wherein the credentials 

2 further include selective aggregated attributes and aggregated policies acquired from 

3 the one or more identity stores according to the contracts, the selective aggregated 

4 attributes identify types of data associated with the principals, and the selective 

5 aggregated policies identify at least one of permissible operations and non- 

6 permissible operations that can be processed against the selective aggregated 

7 attributes during the sessions between the principals. 

1 28. The principal authentication system of claim 23 further comprising a trust 

2 data store associated with the identity service and separate trust data stores 

3 associated with each of the principals, wherein the identity service manages the trust 

4 data store and authorizes the principals to dynamically update their respective 
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5 separate trust data stores with selective identities and key information associated 

6 with the principals during the sessions between the principals. 

1 29. The principal authentication system of claim 23 wherein the identity service 

2 communicates modified credentials to the principals during interactions between the 

3 principals. 

1 30. The principal authentication system of claim 23 wherein the identity service 

2 revokes a number of the credentials for the principals when expiring events are 

3 detected. 
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